(Regular print denotes ITAPS recommendations supported in response to the questions; flagged (non-ITAPS) items are expanded recommendations added to more explicitly address questions not directly addressed by ITAPS. The respondent participated in and collaborated with the ITAPS OMB-OPM-NSC Task Force.)
How can agencies and industry implement and sustain threat data sharing and create a robust, timely and systemic sharing environment (covering more than just incidents) that allows agencies to operate collectively, government-wide and with industry, in real time, rather than independently with little peripheral view of threats and responses?
Require the establishment of an outcome-based Cyber Governance Framework and a federal governance entity* to set direction, make decisions, provide oversight and information sharing, and ensure transparency in the planning and execution of a cohesive, integrated cyber program for the federal government as a whole; use the Framework to guide the development and implementation of corresponding frameworks for each department and agency.
* The overall federal governance entity should include very senior representatives and decision-makers with IT, risk, and cyber expertise from the White House, OMB, DHS, DOD, OPM, the IC, NIST, Cyber Command, and the IG community.
(non-ITAPS) The Government holds significant threat information that could be shared more effectively across the many civil and military venues that produce it (US-CERT, Cyber Command, the Intelligence Community, research partners, etc.). Some of this information is highly sensitive and may have to be filtered and sanitized before it can be shared. Recommend a National Government Cyber Board that oversees cybersecurity across the entire Government: setting direction, making decisions on priorities and resources, overseeing implementation and performance, and ensuring full, objective transparency and enhanced information sharing.
(non-ITAPS) The "Cyber Board" may also establish an Industry Information Sharing Committee to oversee the processes for sharing best practices, threat intelligence, and privileged and sensitive information. (Note: implementing the various aspects of information sharing for industry and other non-federal entities sharing with the federal government may require legislation similar to S. 754 and H.R. 1560, including proprietary-information and liability protections.)
Engage industry and vendors in the development of strategy and information-sharing arrangements, since most of the technologies and services that government networks rely on are developed and delivered by industry partners.